CVE-1999-0730
Description
Debian man-db's zsoelim utility is vulnerable to local file overwrites via symlink attacks, allowing users to modify arbitrary files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The zsoelim program, part of the Debian man-db package, is susceptible to a symlink attack. It creates temporary files in /tmp with predictable names, such as /tmp/zman0aaa. The program does not check for the existence of symbolic links and will follow them, allowing local users to overwrite arbitrary files with the permissions of the user running the man command. This affects versions of man-db that include this utility [1].
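The file-creation behavior described above, reduced to an added C example. It is not man-db's source; the function names, the scratch directory, and the file contents are constructed for illustration. It contrasts opening a fixed temporary name without `O_EXCL` against an exclusive create when a symlink already occupies that name.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: fixed name, no O_EXCL, so a pre-existing symlink is followed
   and the file it points to is truncated. */
static int open_tmp_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: with O_CREAT|O_EXCL, open() fails with EEXIST if anything,
   including a symlink, already occupies the name. Production code should
   prefer mkstemp(), which also makes the name unpredictable. */
static int open_tmp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private scratch directory: "zman0aaa" is already
   a symlink to a file that must be preserved. Returns 1 if that file was
   clobbered, 0 if it is intact, -1 on setup failure. */
int target_clobbered(int use_safe) {
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    char target[PATH_MAX], tmp[PATH_MAX];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/important", dir);
    snprintf(tmp, sizeof tmp, "%s/zman0aaa", dir);

    FILE *f = fopen(target, "w");
    if (!f) return -1;
    fputs("keep me\n", f);               /* 8 bytes of constructed content */
    fclose(f);
    if (symlink(target, tmp) != 0) return -1;

    int fd = use_safe ? open_tmp_safe(tmp) : open_tmp_weak(tmp);
    if (fd >= 0) close(fd);

    int result = (stat(target, &st) == 0 && st.st_size == 8) ? 0 : 1;
    unlink(tmp); unlink(target); rmdir(dir);
    return result;
}

int main(void) {
    printf("weak open clobbers target: %d\n", target_clobbered(0));
    printf("safe open clobbers target: %d\n", target_clobbered(1));
    return 0;
}
```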
Exploitation
A local attacker can exploit this vulnerability by creating symbolic links in /tmp that point to sensitive files. The zsoelim utility, when invoked by the man command, will follow these symlinks. The attacker needs to race with the zsoelim process to create the symlink before the temporary file is created. An example exploit involves using a Perl script to create multiple symlinks pointing to /etc/nologin [1].
Impact
Successful exploitation allows a local attacker to overwrite arbitrary files on the system with the privileges of the user running the man command. This could lead to denial of service or potentially allow an attacker to modify critical system files, impacting the confidentiality, integrity, and availability of the system.
Mitigation
This vulnerability was addressed in later versions of the man-db package. Users are advised to update to a patched version of man-db. Specific fixed versions and release dates are not detailed in the available references. No workarounds are mentioned, and the vulnerability is not listed as actively exploited in the wild or as part of known exploited vulnerabilities.
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.